Evaluating Performance of Web Application Security Through a Fuzzy Based Hybrid Multi-Criteria Decision-Making Approach: Design Tactics Perspective

The design of software can have a major impact on its overall security. Developing a secure website design is a challenge for architects. It depends on difficult decisions that determine the security of the website. An increasing number of vulnerabilities raises the level of security requirements. Hence, security design tactics are to be adopted to satisfy these security requirements. Security design tactics are the mechanisms to define, detect and mitigate vulnerabilities and attacks. Therefore, faults in the application of security tactics, or their weakening during website maintenance, could be one of the key reasons behind the emergence of new and severe vulnerabilities that can be targeted by hackers. There is a need for in-depth analysis of security tactics and their prioritization in order to determine the highest-priority factor. This will further help in building a more secure system. In this research study, the authors have used the hybrid method of Fuzzy AHP-TOPSIS (Analytic Hierarchy Process-Technique for Order Preference by Similarity to Ideal Solution) for the evaluation of security design tactics and their attributes. The efficiency of this approach has been tested on a real-time web application of Babasaheb Bhimrao Ambedkar University, Lucknow, India. Further, different web applications of the University have been used to validate the obtained results. This study's evaluation of the most impactful web application design for improving security will help architects to secure systems by using security tactics.


I. INTRODUCTION
Software is designed to satisfy the business goals of organizations. Software architecture is the association between its design and the desired goal [1]. There is constant pressure on website developers to secure a website through its design and architecture. To achieve this goal, website developers work thoroughly from the ground up on the security of the design [2]. However, these design solutions are often not enough to compensate for the problems that arise due to security breakdowns. Part 3 of the manual for critical safety, IEC-61508, states that security is obtained basically from developing a safety strategy in the website [3].
The associate editor coordinating the review of this manuscript and approving it for publication was Luca Ardito.
According to a report published by Computer World India, British Airways was struck by a website failure due to which 100 flights were cancelled and 200 were delayed [4]. This kind of website failure forces developers to think about what went wrong during the design of the website that could have led to such a grave setback. Security design tactics bring the solution for security-related design issues.
According to a report by Lars Lofgren, approximately 54% of companies worldwide say they have experienced at least one attack within the last year. The report also highlights that just 38% of businesses were prepared to handle these cyber-attacks [5]. Website defects that disturb the security requirements are called vulnerabilities. When a defect occurs in the system, the system becomes vulnerable to other defects. Architectural solutions such as security frameworks and tactics are available for developers to adopt in order to secure a website [6]. This article's contribution includes the investigation of the factors or attributes that contribute to security design tactics. Furthermore, this research study also analyses the prioritization of these attributes to find out the most relevant attribute among them. This prioritization will help security designers to focus primarily on that specific attribute of the security tactics of a web application, which would raise security to a specified level.
In addition, the field of multiple criteria decision analysis provides several methods and tools to prioritize the different attributes of a given problem. Prioritization of different attributes is a multiple criteria decision making problem. Hence, the results of the prioritization process may help experts take suitable decisions as well as initiate the required action. Essentially, to make an appropriate decision on tactics, decision makers need to know not only the security design tactics attributes that contribute to the overall security of a website but also which of them are the most usable. This article uses a Fuzzy AHP-TOPSIS evaluation model for prioritizing the contributing factors of security design tactics and for overall security assessment with respect to alternatives. This evaluation will help security designers to maintain and improve web application security through the weights of specific factors at the early stage of the development life cycle. A good web application design would not only reduce both the time invested and the costs incurred in maintenance but also extend the life-span of web application services [3], [4].
The hybrid technique of Fuzzy-AHP and Fuzzy-TOPSIS has been found to be adequate and effective in several areas [7], [8]. Its features for monitoring, controlling, arranging and decomposing the decision problem make the hybrid Fuzzy AHP-TOPSIS technique more suitable for assessment than the other applied methods [9]. The authors of the present study have evaluated the weights of the security tactics through the Fuzzy-AHP technique, and the impacts of the factors on different alternatives have been estimated through the Fuzzy-TOPSIS method. In this study, eight alternative institutional web applications have been taken for evaluating the impacts due to sensitive information.
The rest of the paper is organized as follows: the review of literature is presented in the second section. The third section presents the security tactics with their hierarchy of contributing factors. The fourth and fifth sections define the methodology and its implementation. Comparison with other methods and sensitivity analysis are shown in the sixth and seventh sections. Discussion and conclusion are presented in the eighth and ninth sections, respectively.

II. RELATED WORK
Organizations put great effort into providing secure services to their end users. The most challenging task in recent years has been to fight cybercrime with the help of secure websites. The main problem in reducing cybercrime is the unavailability of a single framework that integrates security and design tactics together by considering the factors of both [10]-[12]. Several research endeavours have been proposed in the context of security [2]-[6], [10]-[16]. Some of the relevant studies are the following. Santos et al. [10] in 2019 presented an empirical study on tactical vulnerabilities by proposing the Common Architectural Weakness Enumeration. In this study, the authors categorized vulnerabilities into two segments, the tactical and the non-tactical. 223 different tactical vulnerabilities were found in the study, and it showed how architectural weaknesses have created severe vulnerabilities.
Osses et al. [11] in 2019 proposed a card-based selection game for selecting security tactics. These practitioners also identified some important security architectural tactics based on the objectives. Further, an experimental setup was created, and the results showed that TaSPeR supports sponsors' participation and collaboration in security tactics selection.
Marquez et al. [12] in 2018 provided a comprehensive survey and review of security tactics for software vulnerabilities. In this work, the authors prepared a set of research questions related to software vulnerabilities and security tactics and searched for the most appropriate answers to them. This empirical study focused on tactical and non-tactical vulnerabilities in three real-time software systems. Alashqar et al. [13] in 2017 proposed a framework for choosing the best architectural tactic. This framework was proposed for the development of transaction processing systems. To achieve the required levels of quality attributes, the framework used the Choquet Integral approach with fuzzy measures and analysed the impact of quality attributes on security tactics. Further, the framework also used quality attributes to compare different candidate architectures.
Osses et al. [14] in 2016 reviewed the literature on tactics and cleared up the ambiguities in the terminology of security tactics. A modified tactic for security design was also given in this paper.
Ryoo et al. [15] in 2016 examined the gap between security tactics and the actual implementation of security architecture. The authors tried to achieve the goal of an effective architect's intention to use security tactics, and to check whether the tactic is manifested during the design process of open source website projects.
Ryoo et al. [16] in 2010 proposed a novel approach for deriving tactics from already developed design patterns. This work focused specifically on security patterns instead of using all design patterns.
From the review of the past work, it is evident that numerous studies have selected the best tactics for software security qualitatively [15], [16]. However, there is a need for a common framework for both the qualitative and the quantitative assessment of security by estimating the impacts of security tactics and tactic attributes. Selecting and evaluating the impact of tactics is a decision making problem [17]. Hence, in this paper the authors propose an approach for security assessment using an effective fuzzy based hybrid approach of AHP-TOPSIS.

III. SECURITY TACTICS
Significant efforts have been made to ensure the security of web applications, yet, even after continuous maintenance, systems remain insecure [5], [6]. Sometimes a slight and simple change in the design may harm the web application [18]. The demand for secure website applications led to the proposal of working on architectural security tactics in design. Security tactics are a useful tool that can help to analyze and comprehend the facets of secure website design [7]. ''A security tactic is a design concept that addresses a security problem at the architectural design level'' [15], [16]. There are three main categories of security tactics: availability based tactics, testability based tactics and usability based tactics [17]. Although tactics are fine-grained, they are not atomic. They can be refined, so there is a hierarchical structure of security tactics. After a thorough study of the literature, the authors of this study have tried to build a hierarchy of security tactics, which is given in figure 1.
In figure 1, security tactics are divided into three attributes of tactics, which are availability, testability and usability. This hierarchical structure and combination is taken from [10]-[13]. Availability plays an important role in building a secure system and maintaining security. Availability is the ability of the web application to deliver a service that is reliable with respect to its requirement [2]. Testability means the ability of the system to be tested against attacks, which is also important to maintain security [3]. Usability is the ability of the system to be learned easily, which ensures security from the user's end [4]. Further, availability, testability and usability are divided into their sub-attributes. The sub-attributes, including fault detection, manage input/output, support user initiative, etc., have their own sub-attributes in the next level of the hierarchy. These attributes or tactics of availability, testability and usability are defined as follows:
• Fault Detection (T11): Availability tactics include four security tactics [3], [4]. Fault detection is one of them. Detection of failure influences the availability of data. It is influenced by three factors: Ping (T111), Echo (T112) and Exceptions (T113). Ping and echo are used to detect failure, and the occurrence of exceptions helps in identifying any failure.
• Recovery Preparation and Recover (T12): Fault recovery is one important concern while preparing availability security tactics [3]. Recovery preparation and recovering from a fault has three further factors, which are Voting (T121), Active Redundancy (T122) and Passive Redundancy (T123) [3], [4]. The process of voting for a component helps in recovering from a fault. Active and passive redundancy pass the information of parallel faulty components to another component.
• Recovery Reintroduction (T13): Fault recovery with its reintroduction in security tactics is an important concern [4]-[10]. It has three factors within it, which are Shadow (T131), Resynchronization (T132) and Rollback (T133). Shadow is when a component whose fault has been removed has already been running in shadow mode. Resynchronization is upgrading the state of the component before it recovers. Rollback is when, after fault recovery has been done, the component is rolled back to the previous data.
• Prevention (T14): Fault prevention tactics include those tactic factors that are responsible for preventing faults, including Removal from Service (T141), Transactions (T142) and Process Monitor (T143) [3]-[12]. The Removal from Service tactic removes a module of the web application from operation to undertake some activities to prevent predicted failures. A transaction is a collection of several consecutive steps bundled in such a manner that the entire collection can be undone at once. A process monitor can delete a non-performing process and create a new instance of it once a fault in the process has been detected.
• Manage Input/Output (T21): This security tactic is used for managing input/output while the system is being tested [4]-[13]. Manage I/O tactics include two security tactics: Record (T211) and Specialized Access (T212). Record refers to capturing information and using it as input for a test, while specialized access allows capturing the variable values of a component through a test.
• Internal Monitoring (T22): Internal Monitoring is a state in which a component can implement tactics based on its internal state [5], [11]. It has three security tactics: Built-in Monitors (T221), External Audit (T222) and Audit Trail (T223). Built-in monitors help in performing internal monitoring and implementing the security tactic [3]. The external audit and audit trail analyse the logs of the work done in internal monitoring.
• Support System Initiative (T32): This usability based security tactic is user friendly but supports the system rather than the user [20], [21]. Hence it includes tactics such as User Model (T321), System Model (T322) and Task Model (T323). Maintaining a model to support system initiative is necessary. Therefore, three model-based tactics, for the user, the system and the task, are included in it.
For better understanding during the assessment process, the authors have named the attributes and sub-attributes in the hierarchy T1, T2 and T3 for availability, testability and usability, respectively. Further, in the next level, T11, T12, T13 and T14 have been used for fault detection, recovery preparation and recover, recovery reintroduction and prevention, respectively. T21 and T22 have been used for manage input/output and internal monitoring, respectively. T31 and T32 have been used for support user initiative and support system initiative, respectively. Next-level attributes have been named T111, T112, T121, T211, ... according to their position in the hierarchy. Security tactics play an important role in building a secure system. Further, their attributes and sub-attributes play an even more important role in building this security with their tactics [22]. For example, testability tactics are divided into two parts, manage input/output and internal monitoring. Building secure systems using architectural tactics is supported by the record, specialized access, built-in monitors, external audit and audit trail tactics. Hence, these are also incorporated in the hierarchical format of testability tactics.
This paper is focused on bringing out the single most important tactic, which must be accorded the highest priority to secure the system using security tactics. To fulfill the stated intent, this empirical study uses Fuzzy AHP. Further, the Fuzzy TOPSIS method is used for evaluating the impact of these attributes. The hybrid Fuzzy AHP-TOPSIS methodology has proved to be good at measuring several qualitative attributes [9]. The next section explains the methodology of the hybrid Fuzzy AHP-TOPSIS process.

IV. INTEGRATED FUZZY AHP-TOPSIS METHOD
The call for secure website development using architectural tactics has led architects to consider different criteria for different scenarios. The multiple attributes and sub-attributes that help in producing a secure website should have a prioritization process that helps developers decide on the most promising tactic for achieving optimum security [23], [24]. This problem contains different attributes, which makes it a multi criteria decision making problem. Multiple theories have been developed for solving such problems. These include Fuzzy AHP, Fuzzy ANP, TOPSIS, ELECTRE, etc. [7]-[9]. The authors of the present research use the hybrid Fuzzy AHP-TOPSIS method for this assessment.
Fuzzy-AHP is a methodology used to help with difficult choice problems because it is objective in nature and looks for the best alternative among a number of choices. The problem is divided into a hierarchical structure to solve it. The hierarchical structure for security tactics has been presented in figure 1. This hierarchy is prepared using the experts' opinions on the concerned issue. A fuzzy membership function maps the problem into numerical values. The authors use triangular fuzzy numbers as the membership function in this paper. The next step is to build the Triangular Fuzzy Numbers (TFN) from the hierarchical structure. Because each attribute has an effect on the others, the pair-wise comparison of every pair of ordered attributes is considered a crucial job.
The next step is to convert linguistic values into crisp numbers and TFNs. There are various types of membership functions: triangular fuzzy numbers, trapezoidal fuzzy numbers, sigmoidal, Gaussian and many more. In this research design, the authors use TFNs, which lie in the range of 0 and 1 [25]. The reason for selecting TFNs is the computational simplicity of their membership functions and their ability to handle fuzzy information. The triangular fuzzy numbers used in this paper range between 0 and 1 [26]. Additionally, the verbal values collected from different experts are denoted as likely important, strongly important, etc., and the crisp values are taken as 1, 2, ..., 9. Furthermore, a fuzzy number T is said to be a TFN if its membership function is as given in equations (1)(2). In these equations, L, M and U are the lower limit, the middle (most likely) value and the upper limit, respectively, of the triangular fuzzy number. Figure 2 portrays a TFN.
A TFN is stated here as (L, M, U). Experts assigned scores to the attributes influencing the qualities in a quantitative manner according to the scale shown in table 1 [25]. To change the linguistic values to numeric ones, equations (3)(4)(5)(6) are used [25]; the values are denoted as $(L_{ij}, M_{ij}, U_{ij})$, where $L_{ij}$ is the lower limit, $M_{ij}$ the middle value and $U_{ij}$ the upper limit. Furthermore, the TFN $[\tilde{\eta}_{ij}]$ is defined by equations (3-6), where $J_{ijd}$ shows the relative importance of two attributes i and j for each other, as given by practitioner or expert d. $\tilde{\eta}_{ij}$ is evaluated using the geometric mean (GM) of the experts' values for a specific judgment. The geometric mean is used here because of its proficiency in correctly aggregating the responses received from experts, each of which is a comparative relation between two attributes. Additionally, equations (7-9) are the basic arithmetic operations on two TFNs. Consider two TFNs $N_1 = (L_1, M_1, U_1)$ and $N_2 = (L_2, M_2, U_2)$; the operations on them are defined in those equations. After obtaining the TFN values for each pairwise comparison, a fuzzy pair-wise comparison matrix is constructed as an $n \times n$ matrix with the help of equation (10).
where $\tilde{k}^{d}_{ij}$ represents the d-th expert's preference for the i-th criterion over the j-th criterion. If more than one expert is available, the average of the preferences of all experts is obtained with the help of equation (11).

$\tilde{k}_{ij} = \frac{1}{D}\sum_{d=1}^{D} \tilde{k}^{d}_{ij} \quad (11)$

The next stage is to update the pair-wise comparison matrix for all elements in the hierarchy based on the averaged preferences with the help of equation (12).

$\tilde{A} = \begin{bmatrix} \tilde{k}_{11} & \cdots & \tilde{k}_{1n} \\ \vdots & \ddots & \vdots \\ \tilde{k}_{n1} & \cdots & \tilde{k}_{nn} \end{bmatrix} \quad (12)$

After this, we use the GM method as shown in equation (13) to obtain the fuzzy GM and the fuzzy weights of each factor.
The following step is to calculate each attribute's fuzzy weight with the help of equation (14).
Further, the average and normalized weight of each criterion are computed with the help of equations (15)(16).
Moreover, the Center of Area (COA) method is used to compute the BNP (Best Non-Fuzzy Performance) value of the fuzzy weights of each criterion with the help of equation (17).
(17)
Fuzzy TOPSIS: The fuzzy TOPSIS (Technique for Order Preference by Similarity to Ideal Solution) is used to select one alternative among several with reference to the chosen criteria [26], [27]. In TOPSIS, two reference points, FPIS and FNIS, are used: the alternative that is closest to the Fuzzy Positive Ideal Solution (FPIS) and farthest from the Fuzzy Negative Ideal Solution (FNIS) is chosen as the optimum. The FPIS is the collection of the best values for each attribute, whereas the FNIS is the collection of the worst values. The Fuzzy AHP-TOPSIS procedure is as follows. The weights obtained from AHP are used in the subsequent steps. This work applies Fuzzy AHP to find the fuzzy weights with the support of equations (1-16) above. Additionally, using equation (18) and table 2, the experts create the fuzzy matrix and give their preferences for the attributes of each alternative with respect to the criteria.
where $\tilde{x}_{ij} = \frac{1}{D}\left(\tilde{x}^{1}_{ij} \oplus \cdots \oplus \tilde{x}^{d}_{ij} \oplus \cdots \oplus \tilde{x}^{D}_{ij}\right)$, and $\tilde{x}^{d}_{ij}$ is the performance rating of alternative $A_i$ with respect to factor $C_j$ estimated by the d-th practitioner, with $\tilde{x}^{d}_{ij} = (L^{d}_{ij}, M^{d}_{ij}, U^{d}_{ij})$. The following stage is to normalize the fuzzy decision matrix with the help of equation (19). The normalized fuzzy decision matrix, denoted by $\tilde{P}$, is defined as follows.

$\tilde{P} = [\tilde{p}_{ij}]_{m \times n} \quad (19)$

Afterwards, the normalization procedure can be carried out with the help of equation (20).
Alternatively, we can set the best aspired level $U^{+}_{j}$, j = 1, 2, ..., n, equal to 1; otherwise, the worst level is 0. The normalized $\tilde{p}_{ij}$ are still TFNs. For triangular fuzzy numbers, the normalization procedure can be performed in the same way. The weighted normalized fuzzy decision matrix (Q) is computed with the help of equation (14).
where $\tilde{q}_{ij} = \tilde{p}_{ij} \otimes \tilde{w}_{ij}$. After that, the Fuzzy Positive-Ideal Solution (FPIS) and Fuzzy Negative-Ideal Solution (FNIS) are defined. The weighted normalized fuzzy decision matrix shows that the elements $\tilde{q}_{ij}$ are always positive, and the FNIS $A^{-}$ (the worst levels) is as shown in equations (22)(23).
Closeness coefficients are determined in the next step, which establishes the choices to accomplish the aspired levels in each attribute. Chou et al. [26] recommended that this closeness coefficient $CC_i$ be used to assess the fuzzy satisfaction degree based on the fuzzy closeness coefficients, to improve the decision on alternatives [27]. This ranking can be aligned with the similarity to the ideal solution, as shown in equation (26).
where,k The next process is to evaluate the security design tactics with the assistance of its contributing characteristics.

V. IMPLEMENTATION AND RESULTS
Mostly, qualitative assessment is appropriate for prioritizing security design tactics. It is hard to assess security tactics quantitatively. Various criteria of security tactics and design tactics have been combined together to prioritize security design tactics in this work. Recently, researchers and developers have followed security tactics and other programs with impressive effects and efficacious performance [12]-[14]. Still, architects are looking for specific security tactics for applying security in web applications. In addition, the impact of security tactics attributes plays a noteworthy role in security at the early stage of the web application development process [17], [18]. In this paper, the authors suggest that the most apt methodology for prioritizing security design tactics is the hybrid method of Fuzzy AHP-TOPSIS. The authors have designed and discussed the security design tactics in figure 1. For gathering the facts, this paper has taken the suggestions of 70 specialists from academia and different organizations. With the help of the equations, security design tactics prioritization via Fuzzy AHP-TOPSIS has been done as follows. With the help of table 1 and equations (1-9), the authors have transformed the language based values into numeric values and their TFN values. These values are used to construct AHP's pair-wise comparison matrix; further, the TFN values are computed as:

$\tilde{k}^{110}_{12} = \left[(1.0000, 1.0000, 1.0000) \otimes (0.1667, 0.2000, 0.2500) \otimes \cdots \otimes (5.0000, 6.0000, 7.0000)\right]^{1/110}$
$= \left((1.0000 \times 0.1667 \times \cdots \times 5.0000)^{1/110},\ (1.0000 \times 0.2000 \times \cdots \times 6.0000)^{1/110},\ (1.0000 \times 0.2500 \times \cdots \times 7.0000)^{1/110}\right)$
$= (0.3900, 0.4300, 0.4700)$

In the same way, the pair-wise comparison matrices of the level 1 attributes are constructed with the help of equation (10) and shown in table 3.
Using equations (11)(12)(13), the fuzzy weights of the factors are calculated; from these, the global weights for the contributing factors are computed as presented in table 4. Table 4 shows the ranks obtained in the form of global weights from the local weights of the design tactics attributes. According to the results, the highest ranked attribute is specialized access in testability tactics. For evaluating the impact of these ranks of the attributes, the authors collected linguistic values from the experts for eight different alternative web applications which have been developed for BBA University. With the help of table 2 and equation (18), the authors collected and converted the linguistic values into numeric values. With the help of table 2 and equations (3)(4)(5)(6)(7)(8)(9), the numeric values were converted into TFN values. Then the TFN values were aggregated as shown in table 5. With the help of equations (19)(20), the normalized fuzzy decision matrix has been constructed as shown in table 6. Table 7 shows the weighted normalized fuzzy decision matrix, obtained with the help of table 4 and equation (21). Finally, with the help of equations (22)(23)(24)(25)(26), the Fuzzy Negative Ideal Solution, Fuzzy Positive Ideal Solution, gap degree and satisfaction degree of the alternatives are obtained and shown in table 8.
The satisfaction degree is the decisive criterion for choosing the best alternative from the set of available alternatives [27]. Based on the results in table 8, it is inferred that alternative 7 (A7) is the best alternative among all. The worst alternative is alternative 6 (A6). This study finds that Fuzzy AHP-TOPSIS is well suited for assessing and selecting the best security tactics for assuring a quality web application.
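The full pipeline of sections IV and V run end to end on a small constructed hierarchy, as an added example that is not the paper's own code or data: the fuzzy pair-wise matrix, geometric-mean fuzzy weights, COA/BNP defuzzification, the expert-averaged fuzzy decision matrix, normalization, FPIS/FNIS distances, the gap and satisfaction degrees, and a section VII style sensitivity check. It assumes Buckley's fuzzy AHP and Chen's fuzzy TOPSIS conventions (the paper's equations (1-26) are not reproduced in the text, so details may differ) and constructed linguistic scales and judgments standing in for tables 1 and 2.

```python
"""Fuzzy AHP-TOPSIS on a constructed toy hierarchy (added example, not the paper's code)."""
from math import prod, sqrt
from typing import Dict, List, Sequence, Tuple

TFN = Tuple[float, float, float]  # triangular fuzzy number (L, M, U)
# Constructed linguistic scales; assumption: stand-ins for the paper's table 1 and table 2.
AHP_SCALE: Dict[str, TFN] = {"EQ": (1, 1, 1), "WK": (2, 3, 4), "ST": (4, 5, 6), "VS": (6, 7, 8)}
TOPSIS_SCALE: Dict[str, TFN] = {"P": (1, 3, 5), "F": (3, 5, 7), "G": (5, 7, 9), "VG": (7, 9, 9)}

def tfn_add(a: TFN, b: TFN) -> TFN:  # fuzzy addition a (+) b
    return (a[0] + b[0], a[1] + b[1], a[2] + b[2])

def tfn_mul(a: TFN, b: TFN) -> TFN:  # fuzzy multiplication a (x) b
    return (a[0] * b[0], a[1] * b[1], a[2] * b[2])

def tfn_recip(a: TFN) -> TFN:  # fuzzy reciprocal: the bounds swap, 1/U <= 1/M <= 1/L
    return (1.0 / a[2], 1.0 / a[1], 1.0 / a[0])

def geo_mean(items: Sequence[TFN]) -> TFN:
    """Component-wise geometric mean of TFNs (aggregates experts and matrix rows)."""
    n = len(items)
    l, m, u = (prod(t[k] for t in items) ** (1.0 / n) for k in range(3))
    return (l, m, u)

def pairwise_matrix(upper: Dict[Tuple[int, int], List[str]], n: int) -> List[List[TFN]]:
    """n x n fuzzy comparison matrix from verbal judgments on the upper triangle;
    the lower triangle holds reciprocals and the diagonal is (1, 1, 1)."""
    m = [[(1.0, 1.0, 1.0)] * n for _ in range(n)]
    for (i, j), words in upper.items():
        m[i][j] = geo_mean([AHP_SCALE[w] for w in words])
        m[j][i] = tfn_recip(m[i][j])
    return m

def fuzzy_ahp_weights(m: List[List[TFN]]) -> List[TFN]:
    """Buckley's fuzzy weights: r_i = (prod_j k_ij)^(1/n), w_i = r_i (x) (sum_i r_i)^-1."""
    r = [geo_mean(row) for row in m]
    total = (sum(t[0] for t in r), sum(t[1] for t in r), sum(t[2] for t in r))
    return [tfn_mul(ri, tfn_recip(total)) for ri in r]

def bnp(w: TFN) -> float:
    """Centre-of-area defuzzification: BNP = (L + M + U) / 3."""
    return (w[0] + w[1] + w[2]) / 3.0

def normalised_bnp(weights: Sequence[TFN]) -> List[float]:
    """Crisp weights summing to 1, used to rank the attributes."""
    vals = [bnp(w) for w in weights]
    return [v / sum(vals) for v in vals]

def aggregate_ratings(expert_ratings: Sequence[Sequence[Sequence[str]]]) -> List[List[TFN]]:
    """x_ij = (1/D)(x^1_ij (+) ... (+) x^D_ij): mean of the D experts' ratings of A_i on C_j."""
    d = len(expert_ratings)
    x = []
    for i in range(len(expert_ratings[0])):
        row = []
        for j in range(len(expert_ratings[0][0])):
            acc: TFN = (0.0, 0.0, 0.0)
            for e in expert_ratings:
                acc = tfn_add(acc, TOPSIS_SCALE[e[i][j]])
            row.append((acc[0] / d, acc[1] / d, acc[2] / d))
        x.append(row)
    return x

def normalise(x: List[List[TFN]]) -> List[List[TFN]]:
    """Benefit-criterion normalisation: p_ij = (L/U*_j, M/U*_j, U/U*_j) with U*_j = max_i U_ij."""
    ustar = [max(row[j][2] for row in x) for j in range(len(x[0]))]
    return [[(c[0] / ustar[j], c[1] / ustar[j], c[2] / ustar[j]) for j, c in enumerate(row)]
            for row in x]

def distance(a: TFN, b: TFN) -> float:
    """Vertex distance between two TFNs."""
    return sqrt(sum((a[k] - b[k]) ** 2 for k in range(3)) / 3.0)

def fuzzy_topsis(x: List[List[TFN]], weights: Sequence[TFN]) -> List[Dict[str, float]]:
    """q_ij = p_ij (x) w_j, FPIS = (1,1,1), FNIS = (0,0,0); gap degree d+/(d+ + d-)
    and satisfaction degree CC_i = d-/(d+ + d-) per alternative."""
    fpis, fnis = (1.0, 1.0, 1.0), (0.0, 0.0, 0.0)
    out = []
    for row in normalise(x):
        q = [tfn_mul(pij, wj) for pij, wj in zip(row, weights)]
        d_plus = sum(distance(qij, fpis) for qij in q)
        d_minus = sum(distance(qij, fnis) for qij in q)
        cc = d_minus / (d_plus + d_minus)
        out.append({"d+": d_plus, "d-": d_minus, "gap": 1.0 - cc, "satisfaction": cc})
    return out

def sensitivity(x: List[List[TFN]], weights: Sequence[TFN], j: int, factor: float) -> List[float]:
    """Scale criterion j's fuzzy weight by `factor`, keep the others fixed, recompute CC_i."""
    w2 = list(weights)
    w2[j] = (weights[j][0] * factor, weights[j][1] * factor, weights[j][2] * factor)
    return [r["satisfaction"] for r in fuzzy_topsis(x, w2)]

if __name__ == "__main__":
    # Constructed input: two experts compare T1, T2, T3 and rate three hypothetical apps A1..A3.
    judgments = {(0, 1): ["WK", "EQ"], (0, 2): ["ST", "VS"], (1, 2): ["WK", "ST"]}
    w = fuzzy_ahp_weights(pairwise_matrix(judgments, 3))
    x = aggregate_ratings([[["VG", "VG", "G"], ["G", "F", "F"], ["P", "P", "P"]],
                           [["VG", "G", "G"], ["G", "F", "P"], ["F", "P", "P"]]])
    print("attribute weights (BNP):", [round(v, 4) for v in normalised_bnp(w)])
    print("satisfaction degrees:", [round(r["satisfaction"], 4) for r in fuzzy_topsis(x, w)])
```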

VI. COMPARISON BETWEEN AHP-TOPSIS METHODS
Different techniques provide different results on the same data [25]. Generally, researchers use one or more other techniques to check the accuracy of the results of the proposed technique [26]. In this research work, the authors used the classical AHP-TOPSIS technique to evaluate the accuracy of the results [27]. In classical AHP-TOPSIS, the process of data collection and assessment is the same as in Fuzzy AHP-TOPSIS; the only difference is that no fuzzification is required. Hence, the data is taken in its numeric form for classical AHP-TOPSIS. The differences between the results of fuzzy and classical AHP-TOPSIS are shown in table 9 and figure 3. The outcomes of the classical AHP-TOPSIS method are highly correlated with the outcomes of the fuzzy AHP-TOPSIS method. Two different methods are used in this work, and the second (Fuzzy AHP-TOPSIS) is the improved form of the first because of its accuracy.

VII. SENSITIVITY ANALYSIS
Sensitivity analysis is used to check the validity of the estimated results under different variations [25], [26]. In this work, the last level of the hierarchy has twenty-two factors, and hence the sensitivity is tested through twenty-two experiments. The highest weight of a factor was varied while the other factor weights were kept constant, and the satisfaction degree $CC_i$ was calculated through the Fuzzy-TOPSIS technique. Table 10 shows the tested results.

VIII. DISCUSSION
The importance of using architectural tactics for security was discussed in 2017 by JCS Santos [10]. That paper presented an empirical approach to detect vulnerabilities related to security tactics. The tactics proved to be the proper solution for every architectural issue faced during the assessment of security. All that was needed was an expert architect or developer to implement them. Thus, the assurance of security through security tactics has emerged as a solution for making a web application secure. Garcia et al. [21] in 2014 gave a methodological approach for implementing security tactics for proven security. A case study of a tsunami early warning system was used in that study to validate the results. Still, Garcia's study lacks proper guidelines that can aid developers and be adhered to for security tactics.
The present research study used the hybrid method of fuzzy AHP-TOPSIS for prioritizing security design tactics to secure web applications. Because of the high usage of web applications in different areas, their security has become the need of the day. In addition, the exponential growth in security attacks imposes the need to develop web applications with high security. The outcomes of this research work are as follows:
• TOPSIS is a method with rationality, simplicity and good computational efficiency. When the TOPSIS method is combined with fuzzy AHP, which gives unambiguous and crisp results, it becomes the most efficient method.
• Security tactics selection among the multiple available tactics is a problem that should be addressed for a secure web application design.
• Fuzzy AHP-TOPSIS has proved to be an efficient method as per the results achieved through comparison.
• The sensitivity of the results is assessed by changing the variables, and it shows that the results are sensitive to the weights.
• Feasible application of security design tactics is a persistent problem of this era; according to its importance it should be given top priority, but it is largely ignored. The prioritization of security design tactics will help developers to pick the important one for security.
• Better empanelment of security tactics into the web application needs thorough assessment and prioritization. According to the results achieved, the most prioritized factor is specialized access in testability tactics. This affirmation will further help in focusing on the prioritized factors for accomplishing high security.
• The results of the study will help the developers to focus on using more important security tactics for overall security of web application.
The issues and challenges identified during this assessment are as follows:
• The data collected in this paper may be limited by the resources available. Further, the data analysis can be done through different techniques; for example, the area compensation method has been used in the TOPSIS assessment, but other approaches could be used for the same purpose.
• Other attributes, such as modifiability and its sub-attributes, have not been considered in this assessment, and this might impact the security tactics in a measurable way.
• Future work in this domain might add other attributes to the hierarchy of security design tactics.
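The contributions above state that fuzzy AHP supplies the criterion weights, TOPSIS ranks the tactics, the results are sensitive to those weights, and the fuzzy values are defuzzified with the area compensation method. The following block is an added worked example, not the paper's code or data, that carries the whole pipeline through on constructed numbers. Assumptions: the fuzzy AHP step uses Buckley's fuzzy geometric mean (the paper does not print its equations); the area compensation value of a triangular fuzzy number (l, m, u) is taken as (l + 2m + u) / 4; TOPSIS uses vector normalisation and Euclidean distances; and the tactic scores and pairwise judgements are invented for illustration, so the ranking they produce says nothing about the paper's results.

```python
"""Fuzzy AHP-TOPSIS on constructed data.

Added worked example, not the paper's code or data. Criterion weights come
from fuzzy AHP (Buckley's geometric-mean method, assumed here), are
defuzzified with the area compensation value (l + 2m + u) / 4 of a
triangular fuzzy number, and feed a crisp TOPSIS ranking. A weight-
perturbation routine shows the kind of sensitivity the paper reports.
"""
from math import sqrt


def area_compensation(tfn):
    """Defuzzify a triangular fuzzy number (l, m, u) to (l + 2m + u) / 4.
    Assumed formula: the area compensation value for a triangular number."""
    l, m, u = tfn
    return (l + 2 * m + u) / 4


def fuzzy_ahp_weights(pairwise):
    """Crisp criterion weights from a fuzzy pairwise-comparison matrix.

    pairwise[i][j] is a TFN (l, m, u) saying how much more important
    criterion i is than j; pairwise[j][i] must be its reciprocal (1/u, 1/m, 1/l).
    Fuzzy geometric mean of each row, fuzzy division by the column sums
    (l/sum_u, m/sum_m, u/sum_l), then defuzzify and normalise to sum 1.
    """
    n = len(pairwise)
    geo = []
    for row in pairwise:
        l = m = u = 1.0
        for rl, rm, ru in row:
            l, m, u = l * rl, m * rm, u * ru
        geo.append((l ** (1 / n), m ** (1 / n), u ** (1 / n)))
    sum_l = sum(g[0] for g in geo)
    sum_m = sum(g[1] for g in geo)
    sum_u = sum(g[2] for g in geo)
    fuzzy_w = [(gl / sum_u, gm / sum_m, gu / sum_l) for gl, gm, gu in geo]
    crisp = [area_compensation(w) for w in fuzzy_w]
    total = sum(crisp)
    return [c / total for c in crisp]


def topsis(matrix, weights, benefit):
    """Closeness coefficient of each alternative (row of `matrix`) to the ideal.

    benefit[c] is True when a larger score on criterion c is better. Vector
    normalisation, weighted scores, Euclidean distance to the positive and
    negative ideal solutions, and CC = d_worst / (d_best + d_worst).
    """
    n_crit = len(weights)
    norms = [sqrt(sum(row[c] ** 2 for row in matrix)) for c in range(n_crit)]
    v = [[weights[c] * row[c] / norms[c] for c in range(n_crit)] for row in matrix]
    cols = list(zip(*v))
    best = [max(col) if benefit[c] else min(col) for c, col in enumerate(cols)]
    worst = [min(col) if benefit[c] else max(col) for c, col in enumerate(cols)]
    cc = []
    for row in v:
        d_best = sqrt(sum((x - b) ** 2 for x, b in zip(row, best)))
        d_worst = sqrt(sum((x - w) ** 2 for x, w in zip(row, worst)))
        cc.append(d_worst / (d_best + d_worst) if d_best + d_worst else 0.0)
    return cc


def ranking(cc):
    """Alternative indices ordered from highest to lowest closeness."""
    return sorted(range(len(cc)), key=lambda i: -cc[i])


def weight_sensitivity(matrix, weights, benefit, delta=0.2):
    """Move a share `delta` of the weight mass onto each criterion in turn
    (the total stays 1) and report, per criterion, whether the top-ranked
    alternative changes."""
    base_top = ranking(topsis(matrix, weights, benefit))[0]
    flips = {}
    for c in range(len(weights)):
        w = [x * (1 - delta) for x in weights]
        w[c] += delta
        flips[c] = ranking(topsis(matrix, w, benefit))[0] != base_top
    return flips


if __name__ == "__main__":
    # Constructed illustration: three criteria, three candidate tactics.
    # Criterion 1 is judged moderately more important than 2 and strongly
    # more than 3; 2 moderately more than 3. Reciprocals fill the lower half.
    one, mod, strong = (1, 1, 1), (2, 3, 4), (4, 5, 6)
    rec = lambda t: (1 / t[2], 1 / t[1], 1 / t[0])
    pairwise = [[one, mod, strong], [rec(mod), one, mod], [rec(strong), rec(mod), one]]
    w = fuzzy_ahp_weights(pairwise)
    scores = [[7, 5, 8], [6, 8, 4], [8, 6, 5]]   # constructed expert ratings
    cc = topsis(scores, w, [True, True, True])
    print("weights:", [round(x, 3) for x in w])
    print("closeness:", [round(x, 3) for x in cc], "ranking:", ranking(cc))
    print("top changes under weight shift:", weight_sensitivity(scores, w, [True] * 3))
```

The sensitivity routine is the check a practitioner wants before acting on a ranking: if a modest shift of weight onto one criterion changes which tactic comes first, the decision rests on that criterion's weight and the expert judgements behind it deserve a second look.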

IX. CONCLUSION
Effective security and its integration with design tactics in web applications require clarifying the current perceptions of tactics and defining a concrete framework for security and its engineering. As a first milestone, this paper presented a prioritization framework based on the Fuzzy AHP-TOPSIS methodology for prioritizing design tactics for web application security. Through the framework and the designed hierarchy, the most prioritized factor is specialized access in testability. The second most highly prioritized tactic is the Cancel/Undo tactic under the support-user-initiative category of usability. Hence, the results validate that, to achieve a more secure web application, developers should use the specialized access tactic of testability. The software industry has developed a large number of insecure systems with various vulnerabilities in tactics, which makes applications complex and, consequently, less secure. In the wake of increasing security breaches, the development of security guidelines that also focus on security tactics is mandatory. Hence, prioritization of security design tactics will decidedly help architects make web applications more secure.
MAMDOUH ALENEZI received the M.S. degree from DePaul University, in 2011, and the Ph.D. degree from North Dakota State University, in 2014. He is currently the Dean of the Educational Services and the Chief Information and Technology Officer (CITO) of Prince Sultan University. He has extensive experience in data mining and machine learning, where he has applied several data mining techniques to solve several software engineering problems. He has conducted research in several areas and developed predictive models using machine learning to predict fault-prone classes, comprehend source code, and predict the appropriate developer to be assigned to a new bug.
ALKA AGRAWAL received the Ph.D. degree from Babasaheb Bhimrao Ambedkar University (A Central University), Vidya Vihar, Lucknow. She is currently working as an Assistant Professor with the Babasaheb Bhimrao Ambedkar University. She is a passionate researcher and has published a number of research articles in national and international journals. She has research and teaching experience of more than 13 years. Her areas of research interest include software security and software vulnerability. She is currently working in the fields of big data security, genetic algorithms, and software security.
RAJEEV KUMAR received the master's degree in information technology and the Ph.D. degree in information technology from Babasaheb Bhimrao Ambedkar University (A Central University), Lucknow, Uttar Pradesh, India, in 2014 and 2019, respectively. He is currently working as a Guest Faculty with the Department of Information Technology, Babasaheb Bhimrao Ambedkar University (A Central University). He is a young and energetic researcher. He has more than five years of research and teaching experience. He has also published and presented articles in refereed journals and conferences. His research interests are in the areas of software security, software durability, software reliability, software sustainability, software usability, and software risk.
RAEES AHMAD KHAN is currently working as a Professor and also the Head of the Department of Information Technology and the Dean of the School for Information Science and Technology, Babasaheb Bhimrao Ambedkar University (A Central University), Vidya Vihar, Lucknow, India. He has more than 20 years of teaching and research experience. His areas of interest are software security, software quality, and software testing. He has published a number of national and international books (including in the Chinese language), technical articles, research articles, reviews and chapters on software security, software quality, and software testing.